search

nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0
1.66k stars 92 forks source link

Misc.BinToTerm with [:safe] option #141

Closed mhanberg closed 1 year ago

mhanberg commented 1 year ago

The OTP docs imply that the :safe option will stop the creation of new functions, but the Sobelow docs imply it won't.

I tested with OTP 25, and it seems be safe with regard to creating new functions.

Should sobelow still fail if you use the :safe option?

image
realcorvus commented 1 year ago

fn -> :hi end will produce the error you see, but I suspect its related to how the External Term Format works, and the anonymous function is being treated as an atom. Malicious functions can still be created:

% elixir -e ':erlang.term_to_binary(fn _ -> IO.puts("hi"); :ok end) |> then(&File.write!("func.bin", &1))'

% elixir -e 'File.read!("func.bin") |> :erlang.binary_to_term([:safe]) |> IO.inspect()'
#Function<42.3316493/1 in :erl_eval.expr/6>

The Paginator library ran into this exact issue in production - https://paraxial.io/blog/elixir-rce

It was fixed with Plug.Crypto.non_executable_binary_to_term/2. Sobelow should still fail on this it seems.

mhanberg commented 1 year ago

whoa, weird!

Just reproduced myself, thanks for looking into that!